Generalize the acme-switch-certs reload mechanism

Provide a run-parts reload directory for services to put their custom reload scripts in. Replaces the previous hard-coded reload of nginx, which isn't appropriate on non-frontend hosts.

Generalize the acme-switch-certs reload mechanism
5ebfb329 · ale · 38bf7abe · 5ebfb329 · 5ebfb329 · 5ebfb329
Commit 5ebfb329 authored 5 years ago by ale
--- a/roles/acme-storage/files/acme-switch-certs
+++ b/roles/acme-storage/files/acme-switch-certs
@@ -3,6 +3,14 @@
 # Periodically check the contents of the repository managed by
 # replds@acme, and merge it onto /etc/credentials/public.
 #
+# Implements a notification hook by executing all scripts found
+# in the /etc/acme-storage/reload-hooks directory whenever there
+# are changes in the certificates. This is a pretty broad
+# mechanism that might be unsuitable for services using just a
+# single certificate: to avoid them restarting too often, the
+# approach found in acme-reload-frontend (for instance) might
+# be more appropriate.
+#

 public_creds_dir=/etc/credentials/public
 replds_dir=/var/lib/replds/acme
@@ -15,7 +23,7 @@ rsync_files_changed=$( \
 )

 if [ "$rsync_files_changed" -gt 0 ]; then
-    systemctl reload nginx
+    run-parts /etc/acme-storage/reload-hooks
 fi

 exit 0
--- a/roles/acme-storage/tasks/main.yml
+++ b/roles/acme-storage/tasks/main.yml
@@ -58,3 +58,8 @@
    dest: /etc/cron.d/acme-switch-certs
    content: "3-59/15 * * * * root /usr/sbin/acme-switch-certs >/dev/null 2>&1\n"

+- name: Create the ACME reload hooks directory
+  file:
+    path: /etc/acme-storage/reload-hooks
+    state: directory
+
--- a/roles/nginx/tasks/nginx.yml
+++ b/roles/nginx/tasks/nginx.yml
@@ -169,13 +169,18 @@
  notify: "reload firewall"

 # Misc setup.
- name: Install acme-reload-nginx script
+- name: Install acme reload hook
  copy:
-    src: acme-reload-nginx
-    dest: /usr/local/bin/acme-reload-nginx
+    content: "#!/bin/sh\nsystemctl reload nginx\n"
+    dest: /etc/acme-storage/reload-hooks/nginx
    mode: 0755

- name: Install acme-reload-nginx cron job
-  copy:
-    src: acme-reload-nginx.cron
-    dest: /etc/cron.d/acme-reload-nginx
+# Misc cleanup of old files.
+- name: Remove obsolete files
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - /usr/local/bin/acme-reload-nginx
+    - /etc/cron.d/acme-reload-nginx
+